HTTP

This plugin allows preventing large families of HTTP-based application attacks. The various analyses that this plugin performs (in particular RFC compliance checks), validation of encoding in URLs or checks on URL size or requests, allow you to block attacks such as Code RED, Code Blue, NIMDA, HTR, WebDav, Buffer Overflow or even Directory Traversal…

Managing buffer overflows is fundamental at Stormshield Network, which is why defining the maximum sizes allowed for HTTP buffers is particularly detailed.

“IPS” tab

Automatically detect and inspect the protocol

If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules.

Search engine options

Enable search engine filter (Safesearch)

This mechanism allows excluding websites, documents or images that are explicitly inappropriate or undesirable from the results of web searches conducted on the main search engines (Google, Bing, Yahoo)

YouTube content restriction

In this field, the type of restriction to be placed on results of video searches on the YouTube platform can be selected:

  • "strict" means that inappropriate videos can be filtered,
  • "moderate" will return the most relevant results and may therefore allow the display of inappropriate videos.
Google services and accounts allowed

 

This option allows restricting access to Google services and accounts by entering only authorized domains in this list.

Enter the domain with which you have signed up to Google Apps, as well as any secondary domains you might have added to it. Users accessing Google services from an unauthorized account will be redirected to a Google block page.

 

The way this option works is the firewall intercepts SSL traffic toward Google and adds the HTTP header “X-GoogApps-Allowed-Domains” to it, the value of which is the list of authorized domain names, separated by commas. For more information, please refer to the following link:

FR https://support.google.com/a/answer/1668854?hl=fr

EN https://support.google.com/a/answer/1668854?hl=en

NOTE 

SSL inspection has to be enabled in the filter policy for this feature to work.

HTML/JavaScript analyses

Inspect HTML code

Any page containing HTML content that is likely to be malicious will be blocked.

Max. length for a HTML tag (Bytes)

Maximum number of bytes for an attribute of a HTML tag (Min : 128; Max: 65536).

Inspect JavaScript code

In order to prevent malicious content from damaging dynamic and interactive web pages that use JavaScript programming, a scan will be conducted in order to detect them.

 

In the same way as for the option Inspect HTML code, if this option is selected, a page containing JavaScript content that is likely to be malicious will be blocked.

Automatically delete malicious content

Instead of prohibiting the TCP connection, the scan will erase the malicious content (e.g. attribute, HTML marker) and allow the rest of the HTML page to pass through.

 

Example of malicious behavior: Redirection without your knowledge, to a website other than the site you had intended to visit.

NOTE

Selecting this checkbox will disable the Enable on-the-fly data decompression option.

Enable on-the-fly data decompression

When HTTP servers present compressed pages, enabling this option will allow decompressing data and inspecting it as and when it passes through the firewall. Since no data will be rewritten, this operation will not cause any additional delay.

NOTE

Selecting this checkbox will disable the Automatically delete malicious content option

List of exceptions to the automatic deletion of malicious code (User-Agent)

This list displays the browsers and their data, which will not be automatically deleted by the earlier option mentioned above. It is possible to Add or Delete elements to or from this list by clicking on the relevant buttons.

Authentication

Verify user legitimacy

If this option is selected, you will be enabling user authentication via the HTTP "Authorization" header. The HTTP plugin will therefore be capable of extracting the user and comparing it against the list of users authenticated on the firewall.

When no authenticated users match, the packet will be blocked.

Advanced properties

URL: maximum size of elements (in bytes)

Imposing a maximum size for elements (in bytes) allows countering buffer overflow attacks.

URL (domain+path)

Maximum size of a URL, domain name and path inclusive [128 – 4096 bytes]

Per parameter (after the '?' [argument])

Maximum size of a parameter in a URL [128 – 4096 (bytes)]

Full query (URL + parameters) 

Maximum number of bytes for the full query:

http://URLBuffer ?QueryBuffer [128 – 4096] (bytes)]

URL

Max. nb of parameters (after '?')

Maximum number of parameters in a URL (Min: 0 ; Max: 512).

HTTP headers: maximum size of elements (in bytes)

Number of lines per client request

Maximum number of lines (or headers) that a request can contain, from the client to the server (Min:16; Max: 512).

Number of ranges per client request

Maximum number of ranges that a response can contain, from the server to the client (Min: 0; Max: 1024).

Number of lines per server response

Maximum number of lines (or headers) that a response can contain, from the server to the client (Min: 16; Max: 512).

Maximum size of HTTP headers (in bytes)

AUTHORIZATION field

Maximum number of bytes for the AUTHORIZATION field, including formatting attributes. (Min: 128; Max: 4096).

CONTENTTYPE field

Maximum number of bytes for the CONTENTTYPE field, including formatting attributes. (Min: 128; Max: 4096).

HOST field

Maximum number of bytes for the HOST field, including formatting attributes. (Min: 128; Max: 4096).

COOKIE field

Maximum number of bytes for the COOKIE field, including formatting attributes. (Min: 128; Max: 8192).

Other fields

Maximum number of bytes for others field, including formatting attributes. (Min: 128; Max: 4096).

HTTP session parameters (in seconds)

Maximum request duration

Set to 30 seconds by default (Max: 600 seconds).

HTTP protocol extensions

Allow Shoutcast support

This option allows transporting sound over HTTP.

 

Examples: Webradio, webtv.

Allow WebDAV connections (reading and writing)

This option allows adding writing and locking features to HTTP, and also allows securing HTTPS connections more easily.

Allowed HTTP commands

List of allowed HTTP commands (in CSV format). All commands included may not exceed 126 characters. It is possible to Add or Delete commands using the respective buttons.

Prohibited HTTP commands

List of prohibited HTTP commands (in CSV format). All commands included may not exceed 126 characters. It is possible to Add or Delete commands using the respective buttons.

Support

Disable intrusion prevention

When this option is selected, the scan of the HTTP protocol will be disabled and traffic will be authorized if the filter policy allows it

Log each HTTP request

Enables or disables the logging of POP3 requests.

“Proxy” tab

Connection

Keep original source IP address

When a request is made by a web client (browser) to the server, the firewall will intercept it and check that the request complies with URL filter rules and then relays the request.

 

If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

URL Filtering ( Extended Web Control base only)

Action when classification of URL failed

The choice is either Pass or Block.If a URL has not been listed in a URL category, this action will determine whether access to the site will be authorized.

Allow IP addresses in URLs

An option allows authorizing or denying the use of IP addresses in the URL, meaning access to a website by its IP address instead of its domain name. Such a method may be an attempt to bypass URL filtering.

If the option has not been selected and the URL queried (containing an IP address) cannot be classified by the URL filtering system, its access will be blocked. However, this option has been designed to be applied after the evaluation of the filter.

 

As a result, internal servers that are contacted by their IP addresses will not be blocked if their access has been explicitly authorized in the filter policy (different from the pass all policy). Such access can be authorized via the firewall’s basic Network objects (RFC5735) or the “Private IP” group in the EWC URL database.

NOTE

Regardless of whether the previous option has been selected, an IP address expressed differently from the format a.b.c.d will be systematically blocked.

HTTP protocol extensions

Allow WebDAV connections (reading and writing)

WebDAV is a set of extensions to the HTTP protocol concerning the edition and collaborative management of documents. If this option has been selected, the WebDav protocol will be authorized in the Stormshield Network Firewall.

Allow TCP tunnels (CONNECT method)

The CONNECT method allows building secure tunnels through proxy servers.

 

If this option has been selected, the CONNECT method will be authorized in the Stormshield Network Firewall.

TCP tunnels: List of allowed destination ports

In this zone, specify the types of service that can use the CONNECT method.

Destination port (service object)

The Add button allows you to add services objects database.

 

To modify a service, select the line to be modified and make changes.

 

Use the Delete button to delete the selected service.

Advanced properties

Protection quality

Check URL encoding

By selecting this option, the filter policy cannot be bypassed.

Traffic sent to the server

Add authenticated user to HTTP header

If the external HTTP proxy requires user authentication, the administrator can select this option to send data regarding the user (collected by the firewall’s authentication module) to the external proxy.

Explicit proxy

The explicit proxy allows referencing the firewall’s proxy in a browser and sending HTTP requests directly to it.

Enable "Proxy-Authorization" (HTTP 407) 'authentication

The browser will prompt the user to authenticate through a message window and the connection information will be relayed to the firewall via the HTTP header.

NOTE

The "Proxy-Authorization" (HTTP 407) authentication method via the browser does not allow the SSL (certificates) and SPNEGO methods as they do not involve the authentication portal, even though it needs to be enabled.

 

For further information, refer to the help for the Authentication module, in the section “Transparent or explicit HTTP proxy and Multi-user networks”

“ICAP” tab

HTTP response (reqmod)

The ICAP protocol targets mainly web and mail content. It provides HTTP proxies (for web) and SMTP relays (for mail) with an interface.

Send HTTP requests to the ICAP server

Each client request to a website is sent to the ICAP server.

ICAP Server

Server

Indicates the ICAP server.

ICAP Port

Indicates the ICAP port.

Name of ICAP service

Indicates the name of the service to set up. This information varies according to the solution used, the ICAP server as well as the port used.

Authentication  on the ICAP server

Information available on the firewall can be used for performing ICAP services.

Example

It is possible to define in an ICAP server that a certain site is intended for a certain user. In this case, you will be able to filter according to an LDAP ID or an IP address.

Send the username/group name

This option allows using information relating to the LDAP base (especially the logins of authenticated users).

Send client’s IP address

This option allows using IP addresses of HTTP clients who send requests to Adapter (object used for translating between the ICAP format and the requested format).

Advanced properties

Whitelist (will not be sent to the ICAP server)

HTTP server (Host – Network – Address range)

Adds hosts, networks or address ranges whose details will not be sent to the ICAP server. These items can be deleted from the list at any time.

“Analyzing files” tab

Transferring files

Partial download

When a download is incomplete, for example, due to a connection failure during a file download via HTTP, the user can continue to download from where the error occurred, instead of having to download the whole file again. This is called a partial download – the download does not correspond to a whole file.

 

The option Partial download allows defining the behavior of the firewall’s HTTP proxy towards this type of download.

 

  • Block: partial downloads are prohibited
  • Block if antivirus has been enabled: partial downloads are allowed except if the traffic corresponds to traffic that is inspected by a rule with an antivirus scan.
  • Pass: partial downloads are authorized but there will not be any antivirus scan.
File size limit [0-2147483647(KB)]

When files downloaded off the internet via HTTP get too huge, they can deteriorate the internet bandwidth for quite a long stretch of time.

 

To avoid this situation, indicate the maximum size (in KB) that can be downloaded by HTTP.

URLs excluded from the antivirus scan

A URL category or category group can be excluded from the antivirus scan. By default, there is a URL group named antivirus_bypass in the object database containing Microsoft update sites.

File filter (MIME type)

Status

Indicates whether a file is active or inactive. 2 positions are available: “Enabled” or “Disabled”.

Action

Indicates the action to be taken for the file in question, out of 3 possibilities:

 

  • Detect and block viruses: The file will be scanned in order to detect viruses that may have infected the files. These viruses will be blocked.
  • Pass without analyzing files: The file can be downloaded freely without any antivirus scans being performed.
  • Block: The download is prohibited.
MIME type

Indicates the file content type. This could be text, an image or a video, to be defined in this field.

 

Examples:

“text/plain*”

“text/*”

“application/*”

Maximum size for antivirus and sandboxing scan (KB)

This field corresponds to the maximum size of files that will be scanned. The default size depends on the firewall model:

  • S model (SN160(W), SN210(W) and SN310): 4000 Ko.
  • M model (SN510, SN710 and SNi40): 8000 Ko.
  • L model (SN910): 16000 Ko.
  • XL model (EVA1, EVA2, EVA3,EVA4, EVAU, SN2000, SN2100, SN3000, SN3100, SN6000 and SN6100): 32000 Ko.

Actions on files

When a virus is detected

This field contains 2 options. By selecting “Block”, the analyzed file will not be sent. By selecting “Pass”, the antivirus will send the file in its original form.

When the antivirus scan fails

This option defines the behavior of the antivirus module if the analysis of the file it is scanning fails.

 

Example:

The file could not be scanned as it has been locked.

 

If Block has been specified, the file being scanned will not be sent.

If Pass without scanning has been specified, the file being scanned will be sent.

When data collection fails

This option defines the behavior of the antivirus module when certain events occur. It is possible to Block traffic when information retrieval fails, or Pass without scanning.

 

Example:

If the hard disk has reached its capacity, information will not be downloaded.

"Sandboxing" tab

Sandboxing

Status

This column displays the status (Enabled/Disabled) of sandboxing for the corresponding file type. Double-click on it to change its status.

File types

The sandboxing option allows scanning four types of files:

  • Archive: these include the main types of archives (zip, arj, lha, rar, cab, etc)
  • Office document (Office software): all types of documents that can be opened with the MS Office suite.
  • Executable: files that can be run in Windows (files with the extension ".exe",".bat",".cmd",".scr", etc).
  • PDF: files in Portable Document Format (Adobe).
  • Flash (files with the extension ".swf").
  • Java (compiled java files. Example: files with a ".jar" extension).
Max size of scanned files (KB) This field allows defining the maximum size of files that need to be sandboxed. By default, this value is equal to the one in the Maximum size for antivirus and sandboxing scan (KB) field in the File analysis tab. This value cannot be exceeded.

Actions on files

When known malware has been identified This field contains 2 options. By selecting “Block”, the analyzed file will not be sent. By selecting “Pass”, the file will be sent in its original form.
When sandboxing fails

This option defines the behavior of the sandboxing option if the file scan fails.

 

If Block has been specified, the file being scanned will not be sent.

If Pass without scanning has been specified, the file being scanned will be sent.